This Worm Only Wants to Heal

W32/Nachi.B goes around cleaning up messes left over by other, more virulent worms and e-mail viruses.
Plus:
Tip: Making Internet Explorer more secure
The Top E-mail Viruses
The Top Vulnerabilities
Microsoft Releases Three More Patches

We first witnessed the MyDoom.A explosion, and the subsequent Denial of Service attack that took the Santa Cruz Operation (sco.com) web site out for two weeks. Then along came MyDoom.B, which added Microsoft.com as a target of a DoS attack. While MyDoom.A took off with a vengeance, MyDoom.B, like a "B" movie, was a dud. According to Mark Sunner, CTO at MessageLabs, MyDoom.B had bugs in its code that caused it to succeed in attacking SCO only 70% of the time, and 0% of the time when attacking Microsoft. He also said that there was "more chance of reading about MyDoom.B, than catching it."

This past week we've seen an explosion of viruses riding on the coattails of MyDoom.A's successful takeover of hundreds of thousands of machines. The first to hit the scene was Doomjuice.A (also called MyDoom.C). Doomjuice.A wasn't another e-mail virus; instead it took advantage of a backdoor that MyDoom.A opened on infected machines. Doomjuice would download itself to a MyDoom-infected machine and, like MyDoom.B, install and attempt to carry out a DoS attack on Microsoft.com. According to Microsoft, the attack was not adversely affecting them around the 9th and 10th, though Netcraft recorded that the Microsoft site was unreachable at one point.

Antivirus experts believe that Doomjuice was the work of the same author(s) as MyDoom, because it also drops a copy of the original MyDoom source on the victim machine. According to a press release from F-Secure, this may be a way for the authors to cover their tracks. It also releases a working source code file to other virus writers to use or modify. So MyDoom.A and MyDoom.B, like Microsoft Windows and Office themselves, have now become a platform for other viruses to propagate. Within the last week we've seen the emergence of W32/Doomjuice.A, W32/Doomjuice.B, W32/Vesser.worm.A, W32/Vesser.worm.B, Exploit-MyDoom (a Trojan variant of Proxy-Mitglieter), W32/Deadhat.A, and W32/Deadhat.B, all entering through MyDoom's backdoor. Vesser.worm and DeadHat.B also use the SoulSeek P2P file-sharing network.

On Feb 12th, W32/Nachi.B.worm was discovered. Like its predecessor, W32/Nachi.A.worm (also known as Welchia), Nachi.B propagates by exploiting the RPC/DCOM and WebDAV vulnerabilities. While still a virus/worm, Nachi.B attempts to remove MyDoom and close the vulnerabilities it came in through. By Friday, Feb 13th, Nachi.B had made it to the #2 spot on a couple of vendors' threat lists (Trend, McAfee). Because it doesn't use e-mail, it won't show up on MessageLabs' top ten e-mail virus list. Preventing Nachi.B infection is the same as for Nachi.A: apply all current Windows security patches to close the vulnerabilities. See our Top Threat for more information.

On Friday, Feb 13th, we saw another MyDoom harpoon, W32/DoomHunt.A. This virus uses the MyDoom.A backdoor, and shuts down processes and deletes registry keys associated with its target. Unlike Nachi.B, which works quietly in the background, DoomHunt.A pops up a dialog box proclaiming "MyDoom Removal Worm (DDOS the RIAA)". It installs itself in the Windows System folder as an obvious Worm.exe, and adds a registry value "Delete Me"="worm.exe". Removal is the same as for any worm: stop the worm.exe process, scan with an antivirus, delete the Worm.exe file and any associated files, and remove the registry value. Of course, make sure you update your machine with the latest security patches.
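A report-only check for the DoomHunt.A indicators named above, written as an added PowerShell example that is not part of the original newsletter. It assumes the "Delete Me" value sits in a standard Run key (the article does not say which key) and that the Windows System folder is System32; it changes nothing, so the removal steps above remain a manual decision.

```powershell
# Added example (not from the newsletter): report-only check for the
# DoomHunt.A indicators described in the text. Assumptions not stated in
# the article: the "Delete Me" value lives in a standard Run key, and the
# System folder is $env:SystemRoot\System32. Nothing is modified.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Registry: a value named "Delete Me" whose data points at worm.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = $props.PSObject.Properties['Delete Me']
    if ($value -and ($value.Value -match '(?i)\bworm\.exe\b')) {
        $findings += "Registry: $key\'Delete Me' = $($value.Value)"
    }
}

# 2. File: Worm.exe in the Windows System folder (assumed System32)
$wormPath = Join-Path $env:SystemRoot 'System32\Worm.exe'
if (Test-Path -LiteralPath $wormPath) {
    $findings += "File: $wormPath exists"
}

# 3. Process: a running process named worm (worm.exe)
$procs = Get-Process -Name 'worm' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process: worm.exe running as PID $($p.Id)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No DoomHunt.A indicators found.'
} else {
    Write-Output 'Possible DoomHunt.A indicators (review before acting):'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Next: stop the process, scan, delete the file, remove the value.'
}
```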

While there is no way to know exactly, estimates ranged from 50,000 to as high as 400,000 actively infected MyDoom.A machines. Doomjuice could only propagate by accessing the back door of MyDoom, so uninfected users were not at risk, and as infections were cleaned, the field of available machines would shrink. However, the one danger is that while MyDoom.A was scheduled to stop its DoS attacks on Feb 12th, Doomjuice does not have a timeout. Last week we mentioned seeing the MyDoom.A explosion unfold in a MessageLabs Flash animation, and promised to get it for all to see. Here it is.

Microsoft announced three more vulnerabilities and released patches this week. Two are rated Important and one is rated Critical. The top vulnerability involves a code library in Windows that is central to securing web and local applications. For more information on the vulnerability, its implications and what you need to do, see our special report. Of the other two, one involves the Windows Internet Naming Service (WINS) and the other is in the Mac version of Virtual PC. See our Windows Security Updates section for more information.

If it looks like a duck, walks like a duck, and quacks like a duck, is it a duck, or a virus? Maybe, maybe not, but AOL was warning users (Figure 1) not to click on a message that was making the rounds via Instant Messenger last week. The message contained a link that installs a game, either Capture Saddam or Night Rapter, depending on the version of the message (Figure 2). The game included BuddyLinks, a virus-like technology that automatically sends copies of the message to everyone on your buddy list. The technology does viral marketing with its automated message campaign, serves you advertising, and may hijack (redirect) your browser. As of Friday, both the game website (www.wgutv.com) and the BuddyLinks site (www.buddylinks.net) were down, and the Cambridge-based BuddyLinks company was not returning phone calls.

Update: Last week we told you about a fake Do Not Email web site that promised to cut spam but was actually an e-mail address collector for spammers. This week, a Reuters story reports that the US Federal Trade Commission is warning, "Consumers should not submit their e-mail addresses to a Web site that promises to reduce unwanted 'spam' because it is fraudulent". The article goes on to describe the site, and recommends, as we have been, to "keep your personal info to yourself, including your e-mail address, unless you know who you're dealing with."

On Thursday, Feb 12th, Microsoft found out that some of its source code was circulating on the web. They traced it to MainSoft, a company that makes a Windows-to-Unix interface for Unix application programmers. MainSoft has been licensing the Windows 2000 source code, specifically the part that implements the API (application program interface) of Windows. According to an eWeek story, the code is not complete or compilable. While the Windows API is well published, the underlying source code is not. The API is a collection of code functions and routines that carry out the tasks of running Windows, such as putting buttons on the screen, handling security, or writing files to the hard disk. Many of the vulnerabilities in Windows stem from unchecked buffers and parameters in these functions. Often the vulnerabilities involve passing specially crafted messages or parameters to these functions, causing them to fail and open the system to exploitation. Since much of the Windows 2000 code is also incorporated in Windows XP and Windows Server 2003, having the source code may allow virus writers and malicious users to more easily find holes in specific routines and exploit them. While vulnerabilities are typically identified by Microsoft or third-party sources before they become public, giving time to issue patches, this may turn that procedure on its head, putting hackers in the position of discovering and exploiting vulnerabilities before Microsoft finds and patches them.
